Third Parties, Contracts and B...

Tom Garrubba 09-18-2018

While walking outside on my way to an early meeting, between sips of coffee I was additionally jarred awake by a passing car with the music of Van Halen blaring through the speakers. As a fan of “early” Van Halen, I snickered to myself recalling the legend of the “Brown M&M’s” in their contract that was often joked about amongst musicians and DJ’s. Later that evening as I returned to my hotel room I did some research into the background of the “Brown M&M’s” story and quickly realized the importance of it with regards to contracts and dealing with third parties.


As many of you will surely know, Van Halen has been one of rock’s premier acts since the 1970’s. However, they were also one of the first bands to take on the road such a massive stage show consisting of, according to the band’s lead David Lee Roth, “Eight Hundred and fifty par lamp lights to illuminate the stage”. Due to the size of such a light set they struggled in the band’s early touring years to get the massive rig into many of the older arenas, as their loading dock doors were ill prepared to handle such a massive spectacle. Additionally, “there were many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through”. On top of all that, set up and tear-down times would “grossly exceed” the local union’s overtime, largely because of the time it took for the crew to set up and take down the production – all of which added to the cost of touring.


Roth noted that in most cases the promoter wouldn’t fully read the contract and would therefore fail to take note of the various structural requirements, or to understand the issues (such as load-bearing stress, electrical amperage, etc.) that could cause serious harm to the band, the crew, and even the audience.


According to Roth, to help ensure compliance with the contract, they stuck a clause into the technical section of the contract requiring a bowl of M&M’s to be placed backstage, but not containing any “brown M&M’s”. Now this would normally be characterized as silly “rock star-like demands” being placed on the promoter and venue, but it was actually a rather clever test of whether or not the promoter and other notable parties had thoroughly reviewed and honored the contract in full, including the items it contained addressing safety concerns. Roth added that if a bowl of M&M’s was missing backstage, or if brown ones were present, then he and other band or crew members could safely assume that other items in the contract had not been reviewed, had been glossed over, or worse – completely ignored. The band members and crew would then be within their rights to have the venue inspect the work, ask that it be redone, and – per the terms inscribed in the contract – even force the promoter to forfeit the entire show at full pay. Their concern for safety was real: not only had equipment been damaged, but according to Roth, several members of their road crew were severely injured due to poor preparation and lack of appropriate safety measures on the part of the venue.


A great example he provided to drive home this wisdom was when Van Halen was playing at a university in the mid-west (his autobiography purports it as a gymnasium in Pueblo, Colorado, while an online interview with Roth purports it to be in New Mexico). Roth noted “the university took the contract rather casually”, adding further “they had one of these new rubberized bouncy basketball floorings in their arena. They hadn’t read the contract, and weren’t sure, really, about the weight of this production; this thing weighed like the business end of a 747.” He added that they found some brown M&M’s in the candy jar and Roth “went into full Shakespearean ‘What is this before me?’… and promptly trashed the dressing room, dumped the buffet, kicked a hole in the door…” causing approximately twelve thousand dollars’ worth of damage. He stated that they “didn’t bother to look at the weight requirements or anything (in the contract) and this sank through their new flooring and did eighty thousand dollars’ worth of damage to the arena floor. The whole thing had to be replaced.” Clearly, this could have been avoided had the physical requirements needed to hold such a concert been reviewed effectively, or reviewed at all.


On top of the structural damage – that had to be replaced – the press blamed Van Halen for the incident. “…It came out in the press that I discovered brown M&M’s and did eighty-five thousand dollars’ worth of damage to the backstage area”.


Can similar events happen to you? You bet. You may not have to deal with moving massive light and sound fixtures from one town to the next, but how truly confident are you that your vendors really understand what is required of them? Have you built conditions, service-level benchmarks, touch-points, and penalties into the contracts? Are they understood and agreed to by all before the contract becomes fully executed? Part of employing sound principles of contract review is reviewing all documents with all affected parties (both vendor and business line) and making sure that they not only understand the terms laid out in the contract but that they can fulfill all stated obligations.


The final takeaway of this piece is to remind you of the importance of going over the details – you know, those small things which can lead to bigger problems. It’s a good idea to employ the advice from legendary UCLA basketball coach John Wooden who used to say “It’s the little details that are vital. Little things make big things happen.”


So, with that, do you prefer plain or peanut?

It’s Not You. It’s...

Jenny Burke

We’ve all experienced the end of a relationship. Sometimes the two parties involved are no longer compatible. Maybe one party realizes that it just isn’t working out. Or they’ve found someone better. Or perhaps there’s been an unforgivable breach of contract.

Naturally we’re talking about an organization’s partnership with a third-party provider and the importance of mitigating third-party risk. There’s a distinct lifecycle to every business relationship—new relationships, existing and evergreen relationships, renewals and terminations.

Managing third-party contracts can be a delicate matter throughout this lifecycle. When it comes to terminating these contracts, the need to have a well-defined strategy already in place is paramount. A contingency plan built upon established business standards and best practices can help avoid damages, alleviate any reputational risks, and help facilitate a smooth exit.

There are four basic types of termination:

  • Normal: The business relationship is no longer necessary or appropriate
  • Cause: There is irreparable violation of contract terms
  • Convenience: Either you or the vendor has a better arrangement/opportunity
  • Regulatory/supervisory: The vendor cannot live up to regulatory expectations

“Third Party Contract Development, Adherence & Management,” © 2018 The Santa Fe Group, Shared Assessments Program


It’s crucial to ensure that the predetermined terms of the contract are acceptably fulfilled in the final stages of the third-party vendor relationship. This includes any ongoing services with the departing vendor; recovery of work product and intellectual property; data recovery and security; and a seamless transition to the new provider, if applicable.

More specific best practices will need to be implemented if the contract was terminated for cause. For example, was the provider appropriately rated? Did internal controls or assessment methods fail? Was penetration (pen) testing conducted and evaluated by credentialed testers? These questions can help safeguard third-party business relationships and guide future contract negotiation processes.

In business, as in one’s personal life, it always helps to have an exit strategy, based on open communication and shared expectations agreed upon from the very beginning.

And, you should probably get that in writing.


A brief chat with Tom Garrubba, Senior Director/CISO of Shared Assessment, The Santa Fe Group

In your experience, what are some of the core reasons that a third-party contract is terminated for cause (i.e. fraud or misrepresentation)? What are some examples?

In most cases [the third party] is just not able to achieve what fits into the agreement. Basic cause is when vendors overpromise and underdeliver. Or if they’re falling way behind and start grossly misrepresenting what they said they could do. We need to monitor the contracts. You should be getting something back from the vendor for not living up to contract expectations.

I was in a situation at my previous employer where we had a vendor that did something kind of crafty. A company can turn to a vendor and say, we don’t really have much of an increase in budget next year so we need you guys to hold on to your fees. So this vendor took its offshore support and shifted it from India to China because it’s much lower cost.

They did it on the backend. They’re still supporting your system but now the cost went from $100/hour to $60/hour and they never told the business unit. They didn’t break the contract per se but what they did was kind of unethical, doing something and not telling us about it. You can’t say at that point, I’m taking my ball and going home. But they were banned from all new projects and not allowed to bid on upcoming projects.


How can a business protect itself to mitigate the inherent risks of working with third-party providers?

Get everything in the contract. Organizations I’ve had conversations with are not very good at it – they’re working in a silo. Sometimes they don’t want to focus on risk because they want to get things up and running.

Expect the Unexpected: 5 Keys ...

Tom Garrubba 08-31-2018

As the European Union’s (EU’s) General Data Protection Regulation (GDPR) May 25 effective date approached this spring, its sweeping compliance requirements socked U.S. companies with major surprises. The regulation’s global jurisdictional reach, EU-specific definition of “sensitive data,” steep penalties, hefty compliance costs, and applicability to customers as well as employees startled more than a few privacy and compliance teams.

Now, as more organizations pivot from achieving compliance to strengthening and refining their GDPR programs, another unexpected – and critical – facet of the regulation must be addressed: the extent to which GDPR elevates third party risk.

Conforming to GDPR requires a methodical approach, and one that should be carefully integrated into a company’s existing third party risk management (TPRM) program. The success of this integration hinges on five crucial considerations. Before weighing those keys to success, it is important to understand how GDPR – and the regulation’s Article 28 requirements in particular – places new requirements on vendors and affects third-party relationships.

The Regulation and Third Party Risk

At its core, GDPR poses numerous new requirements regarding how companies, regardless of their industry or location, manage the personal information of European “data subjects” (i.e. customers and employees). While Google, Facebook and other U.S.-based technology giants must adhere to GDPR, so too must the small Denver-based restaurant chain that attracts European tourists, the fin-tech start-up with an office in Bruges and thousands of other companies.

Complying with GDPR requires organizations to make some fundamental process changes concerning breach notifications, a European citizen’s “right to be forgotten,” the anonymization of personal data and other practices affected by components of the new regulation.

GDPR replaces the EU’s Data Protection Directive, which had been the basis for EU laws that govern data privacy. It is important to note that an EU regulation is legally binding in each Member State, whereas an EU directive identifies results each Member State is required to achieve through national laws that each state can develop on its own. Many of the ways that GDPR differs from the previous directive ultimately require vendor risk management capabilities to be updated and enhanced. These changes include:

  • The extension of legal obligations to service providers (which the regulation refers to as “data processors”);
  • A broader definition, or “higher classification,” of personal data (“sensitive data”) that must be protected;
  • New operational requirements for data processing;
  • Severe consequences for violations, including a maximum fine amounting to the greater of €20 million or 4 percent of global revenue; and
  • A new set of requirements for third party data processors, as laid out in GDPR Article 28.

GDPR also introduces new terminology. Three of the most important phrases include:

  • Processing: Any operation or set of operations – automated or manual — performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure and more;
  • Data Controller: The entity (i.e. a company) that determines the purposes, conditions and means of the processing of personal data;
  • Data Processor: An entity (i.e. a vendor) that processes personal data on behalf of the controller.

This represents a brief summary of the regulation, which comprises 11 chapters and a total of 99 articles, or subtopics. Of course, managers responsible for GDPR compliance should read through the entire regulation. Article 28 requires closer scrutiny for companies and, even more so, for vendors that qualify as “processors” and must comply with new rules presented in that section (See “Getting a Read on Article 28”).

Integrating GDPR

Conforming to GDPR requires a comprehensive, multi-step process that works in conjunction with an organization’s existing vendor risk management program. (A tool to evaluate this type of program against best practices is available here.)

At a high level, organizations should begin with scoping to identify critical vendor relationships that are involved in GDPR compliance. Once these vendors have been identified, organizations should:

  • Understand which GDPR regulations apply to the vendor;
  • Assess the third party’s GDPR readiness;
  • Assess the third party’s overall security posture;
  • Track how the vendor retains, accesses and transfers sensitive data;
  • Address contract provisions to ensure they reflect GDPR requirements;
  • Define key compliance artifacts for due diligence response; and
  • Conduct testing of key privacy controls.

Follow the Data and other Drivers of Success

While a methodical approach to GDPR compliance is crucial, there are several other considerations and practices that have proven helpful in adapting third party risk management programs to meet GDPR requirements. Most of the following perspectives and activities also help strengthen third party risk management programs:

  1. Distinguish processes from procedures: One of the most frustrating – yet most valuable – aspects of vendor risk management involves the reconciliation of relevant business processes (i.e. how they are executed in practice) to procedures (i.e. documentation that identifies how processes should be performed). When I help an organization address GDPR or TPRM more broadly, my first question zeroes in on how things work in practice: Walk me through your processes. My goal is to find out how processes are performed before I look at how that same process is documented in a formal procedure. There are often discrepancies, for a number of reasons. For example, procedures frequently have not been updated to reflect process and technology changes. These gaps must be identified and eliminated. After all, procedures represent the record that enforcement teams use to hold your organization accountable.
  2. Follow the data – and the 80/20 rule: Given how data-driven most organizations have become, keeping a lid on GDPR compliance costs hinges on identifying which systems, applications and data pose the greatest risks. Once compliance teams have evaluated the technical and administrative controls supporting the (roughly) 20 percent of systems that contain 80 percent of GDPR risk, they can expand and refine their scrutiny.
  3. Consider the total cost of non-compliance: In some cases, organizations – especially small- to mid-sized companies contending with resource limitations—may elect to assume some third-party risks rather than spending heavily to protect certain data. This assumption of risk is typically based on the calculation that the cost of the risk materializing would be less than the cost of mitigating it. When this approach is being considered, risk and compliance teams should be sure to include the potential for reputational risk in their calculations. The reputation risks that arise following a major data breach vary by company; these risks are difficult to estimate, but they can be severe. One company’s shareholders and customers may shrug off a cyberattack. Another company, even one in the same industry, may see its share price plummet and its CEO marched before a Congressional hearing (before being sacked by the board) following a similar incident.
  4. Define third parties broadly: GDPR Article 28 makes it clear that an organization’s data-related risk management activities extend beyond its four walls to vendors that process sensitive data. Risk and compliance teams should keep in mind that the types of vendors that process sensitive data extend beyond technology companies. Law firms and consulting firms, for example, routinely have access to organizational data.
  5. Vendors continuously evolve — so should conforming to GDPR: Achieving GDPR compliance is not the same as sustaining GDPR compliance. The same external disruptions and internal changes creating gaps between your own business processes and written procedures are occurring within your data processors and other critical vendors. It’s perfectly fine to give the neighbor’s 12-year-old son your house key so he can feed your cat when you take a vacation. It may not be so prudent to continue to entrust that young man with access to your house after he’s arrested for burglary a few years later. The most effective GDPR programs, as well as the best TPRM programs, contain some form of ongoing monitoring of changing vendor processes and vulnerabilities.

A systematic approach to GDPR compliance and its careful integration into a formal TPRM program, combined with an awareness of effective compliance practices, can help companies sidestep the confusion and misperceptions that accompany sweeping regulatory changes. This holds true for GDPR, which despite how it has been reported in many news outlets, is actually not “new” at all. The regulation’s lengthy text has been available to read and assess for more than two years; May 25 marked the first day that the EU could begin enforcing it.

SOC it 2 Me … One More Time...

Linnea Solem 06-25-2018

It’s that assurance time of year again as organizations are kicking into the implementation of their 2018 external audit engagements. We are now under the six-month timeline for new SOC standards to be in place. This is the third year in a row I’ve written about changes in external audit reporting standards that impact service provider controls and executing external assurance engagements. Each year the changes drive maturity, transparency and stronger governance into the process, but also create confusion and need for knowledge. So, let’s dust off the boxing gloves and understand the new assessment protocols that will be in place once we jump back into the audit boxing ring.

Acronyms, Terminology & Methodology – Alphabet Soup
Heavyweight sports fans know terms like Knockout (KO), Clinch, Down & Out, Fall Through the Ropes, Sucker Punch, and Throw in the Towel. Prizefighter auditors and assurance practitioners understand terms like AICPA, Attestation, SOC, SSAE18, TSC, CSOC, Carve-outs, Subservice Organizations, and Qualified Opinion. Information security and IT professionals rely on frameworks like COSO, NIST, and COBIT.

While the terms are quite different, the work effort to simply navigate audit standard changes easily creates emotional comparisons to a few of those boxing terms, especially for the non-accountant. Let’s level set on a few of the key concepts that are changing within SOC engagements, but from a more sports fan or business user point of view.

The American Institute of Certified Public Accountants (AICPA) is the national professional organization that sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profits, and governments. They have updated their standards and protocols for audit engagements to align with the 2013 Committee of Sponsoring Organizations (COSO) framework which was designed to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. COSO frameworks are traditionally part of the SOX compliance program for financial accounting of public companies.

The changes in the SOC audit reporting will be effective for audit periods ending on or after December 15th, 2018. That means the changes will be effective for all engagements in 2019, triggering readiness, migration, and process changes in 2018. During this transition, for audit engagements executed in 2018, a company can choose to early adopt the new criteria structure or continue with the current Trust Services Principles.

Report Changes and Updated Naming Conventions
The methodology standards set out in the SSAE18 framework will now apply to all SOC2/SOC3 reports. Those changes include the requirements to clarify control ownership when there are subcontractors or sub-service organizations in scope for the system being assessed. With the remapping effort to the COSO framework, additional terminology changes for SOC audit reports have been defined:

  • SOC: Was Service & Organizational Control and now is System & Organizational Control.
  • SSAE: Statements on Standards for Attestation Engagements.
  • TSPC and TSC: Trust Services Principles & Criteria (TSPC) are being renamed Trust Services Criteria (TSC).
  • Principles & Categories: Principles will now be called categories, but they still focus on security, availability, processing integrity, confidentiality, and privacy of a system.
  • Risks/Controls: Within the report structure and protocol, the assessor will now use terminology of “points of focus” for the specific control topic area being reviewed.

A SOC2 report must include the Security Category, with all the Common Criteria, and may include the additional categories. Each category has its own unique criteria to be met as part of the audit. These changes expanded the number of common control criteria and streamlined some of the additional criteria in the Trust Services Categories.

Changes to the Criteria for Audit Engagements

It is important for all organizations to prepare for the new requirements to build out process maturity in conjunction with this year’s audit engagement. The requirements will apply to service providers who use a SOC report to provide assurance to their clients, but will also trigger changes to the processes a service provider uses to get assurance from its fourth parties.

Implications for Service Providers
External assurance audit reports are a mechanism to provide independent assurance and testing of controls. Each service provider defines the type of audit engagement needed to meet their client contractual obligations based on the systems and services that are outsourced. With the growing focus on cyber security and enterprise risk management, many of the changes in common controls have broadened beyond traditional IT controls or public company financial controls. The shift to include risk management functions and programs will trigger the need for additional control owners, compliance documentation, processes to be tested, and includes operational risk management programs.

There are eight new common criteria related to the alignment with COSO principles:

  • Board oversight
  • Use of information to support internal control
  • Sufficiency and clarity of the entity’s objectives
  • Identification and assessment of changes
  • Controls deployed through formal policies and procedures
  • Procedures to identify new vulnerabilities
  • Business disruption risk mitigation
  • Vendor and business risk management

Third party risk management functions may be implicated in many of these criteria but the focus on Vendor and Business Risk Management as a common control in scope for all engagements shows the growing attention to third party risk. The inclusion will provide a deeper dive into the third-party risk management program structure, implementation, governance and risk reporting. The third-party risk management program elements that will be assessed, audited, and tested include:

  • Requirements for Vendor and Business Partner Engagements
  • Vendor and Business Partner Risks
  • Responsibility and Accountability for Managing Vendors and Business Partners.
  • Communication Protocols for Vendors and Business Partners.
  • Exception Handling Procedures from Vendors and Business Partners.
  • Vendor and Business Partner Performance.
  • Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments.
  • Procedures for Terminating Vendor and Business Partner Relationships.
  • Process to obtain Confidentiality Commitments from Vendors and Business Partners.
  • Assessment process for Compliance with Confidentiality Commitments of Vendors and Business Partners.
  • Process to obtain Privacy Commitments from Vendors and Business Partners.
  • Assessment process for Compliance with Privacy Commitments of Vendors and Business Partners.

Each of these operational processes is part of the implementation of a third-party risk management program structure. However, making the controls auditable and testable will require not only compliance documentation but artifacts and testing of the controls, to provide evidence to auditors of the implementation of the third-party governance program requirements. Multiple regulatory drivers are triggering changes to mature the third-party risk governance process. Creating an external assurance maturity calendar requires taking a long view, embedding into readiness this year what is tested next year.

Business Readiness
While it can be easy to feel like throwing in the towel, the reality is the SOC boxing matches will continue, and evolve as new scoring mechanisms are defined. Here are six readiness steps to tackle, one per month to avoid feeling on the ropes or down for the count while you prepare for an audit of your third-party risk governance program.

  1. Policies: Review and create a comparison of the Vendor and Risk Management criteria to your Third-Party Policies and Procedures. Plan for the need for additional compliance documentation and process maps.
  2. Employee Knowledge: Prepare employees who manage controls by sending out a self-assessment of their understanding of the roles, accountabilities and governance for third party risk. Update control owners, assess internal expertise and identify gaps.
  3. Technology: Conduct an assessment with your current GRC tools to prepare for any IT or configuration changes.
  4. Benchmark: Refresh benchmarking the maturity of your Third-Party Program to the Vendor Risk Management Maturity Model.
  5. Risk Reporting: Review existing scorecards, dashboards and management reporting on third party risk governance and identify changes to meet the new common criteria.
  6. Process Refinement: Embed security, confidentiality, and privacy commitment processes into a common third party continuous monitoring process.

Yes, audit standard changes can feel daunting and complex. However, just like there are weight levels in boxing to make the fights fair, assessing a third-party program is also risk based. Focus on the critical activities, critical services, critical controls, and critical third-party relationships. Most of these requirements are not dramatically new; they simply drive into the third-party risk governance program the maturity that has long been in place for financial controls.

Linnea Solem is a former Shared Assessments Program Steering Committee Chairperson, and current Advisory Board Member. She is the President and Founder of Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management.

Cybersecurity and National Sec...

Sylvie Obledo 05-29-2018

The tone of resilience followed the 11th Annual Shared Assessments Summit to the Santa Fe, New Mexico home of Catherine A. Allen, Chairman and CEO of The Santa Fe Group. Recovering from an email hack, Cathy hosted sixty guests who enjoyed her signature Missouri ham, dined al fresco in the courtyard as the sun set, and listened to an esteemed panel of subject matter experts speak about Cyberwarfare and National Security: What Americans Need to Know.

Senator Jeff Bingaman, former US State Senator from New Mexico, reinforced the importance of cyber issues and the urgent need for Congress to understand this importance. He introduced the evening’s panelists including:

  • Catherine A. Allen, The Santa Fe Group
  • Mark Fidel, Co-Founder of RiskSense, Inc.
  • Damon Martinez, Former U.S. Attorney and Congressional Candidate
  • Valerie Plame, Former CIA Operative, Author and Cyber Expert

Damon Martinez, former U.S. Attorney and Congressional candidate, covered cyber threats to our democracy, the evolution of protection technologies, protecting voting machines and the undermining of the fundamental basics of our democracy. He spoke about the role of New Mexico National Labs, airspace and missiles, and showed, in his handout entitled “Emerging Threats: Russian Interference in U.S. Elections and the New Frontier of Cyber Security”, that Russia developed technology strikingly similar to ours after we had developed it first.

Mark Fidel, Co-Founder of RiskSense, Inc. focused on vulnerabilities including threat and vulnerability management, election systems vulnerabilities, and the supply chain of digital information that serves the labs in and out of New Mexico. Citing the issues surrounding our election system, Mark described the various vendors involved with the management of the voting process and his commitment to shoring up our systems to protect our democracy and to ensuring a fair, free, and accurate election process.

Valerie Plame, former CIA operative, author, and cyber expert shared her expertise in nuclear proliferation and experience with The New War: Cyberwarfare. Valerie described the relationship between international security and cyberwarfare, our adversaries, and why we should be concerned about Iran, North Korea, China and Russia. Speaking to the gray area between war and peace, she explained the financial benefits of war to a few versus the low profit margin of fighting cyberwarfare.

Catherine A. Allen, Chairman and CEO at The Santa Fe Group and corporate board director, explained the concern of cyberwarfare and critical infrastructures as well as the impact of cyber tactics. Sitting on several boards including that of El Paso Electric Company, Cathy knows the corporate perspective on cyberwarfare. She described the impact of fake news with a visual graphic in hand and reinforced the importance of data integrity. In addition to the media bias chart, The Santa Fe Group provided handouts and multiple relevant materials to guests, including Cathy’s “Cyberwarfare and Critical Infrastructures” and the Ponemon Institute’s “Second Annual Study on The Internet of Things (IoT): A New Era of Third-Party Risk” sponsored by Shared Assessments, a program under The Santa Fe Group umbrella. Handouts quickly moved into guests’ hands as Cathy emphasized that protecting one’s personal and company assets is a must in today’s world of new warfare.

Stating that there are not enough people in public policy who are aware of cyber issues and their associated impact, the panelists recapped their concerns and suggestions as:

  • Heighten awareness of one’s own biases – go far and wide and beyond
  • Education is key
  • Think
  • Stay strong and informed
  • Voice your concerns about cyberwarfare and the threat to our democracy and safety to your Congressmen
  • Vote

The sun set. And as guests left, they left more aware of cyber threats than when they arrived, with a tone of resilience.


Sylvie Obledo is a Project Manager with The Santa Fe Group, Shared Assessments Program. As Project Manager, Sylvie facilitates thought leadership and collaboration of leadership teams and a variety of groups including the Continuous Monitoring Working Group and Vertical Strategy Groups in industry sectors including Asset Management, Consumer Product Goods, and Insurance. Her scope of work requires creative problem solving, planning, organization, and managing multiple timelines.

Summit Day Two: Recap...

Jenny Burke 05-21-2018


If you haven’t already seen our 11th Annual Shared Risk Assessments Summit Day One recap, read it now. Day two of the Summit was equally educational and our line-up of all-star speakers did not disappoint as we dove deeper into exploring the theme of resilience within the third party risk community and beyond.


Breakfast with Bitsight

Day Two of our 11th Annual Shared Risk Assessments Summit began with a breakfast case study presented by Bitsight. The case study raised the question “Is it possible to improve security of existing vendors without contract changes or requirements?” This imperative question had us all thinking about how we should better communicate our initiatives to management, with the note that collaboration does not work with bad data.


Slow Down to Speed Up

After breakfast, we had the pleasure of hearing from Wafaa Mamilli, Executive Technology and Digital Leader, Eli Lilly, on Fostering Resiliency from Within Your Organization. One concept Wafaa stressed was the need to slow down in order to speed up. It’s crucial to our organizations and our teams to take the time to have development days, regardless of how busy things are at the office. In order to achieve operational excellence, we need to take a step back, examine our team of teams, and think about how we can best work together based on our strengths and weaknesses.



Next, we began our first panel discussion of the day on Privacy and GDPR. With the impending May 25th GDPR deadline, this panel could simply not be overlooked. Moderated by Linnea Solem, Founder and CEO, Solem Risk Partners, the panelists included: Lisa Berry-Tayman JD, Sr. Manager, Privacy and Information Governance, CyberScout; Nathan Johnson, Advisor – Global Privacy Office, Eli Lilly; and Andrew McDevitt, Senior Privacy Analyst – Global Privacy Office, Northrop Grumman. Some key takeaways from this panel discussion were that you can outsource your work, but you can’t outsource the responsibility that comes with it. In times of doubt, Lisa Berry-Tayman JD suggested that we ask ourselves, “What Would Data Subjects Want?” Half-jokingly, she mused that we make bracelets with WWDSW imprinted on them, serving as a constant reminder to put the data subjects first—there should never be anything unexpected happening to their data.


Stopping Silos

Following this entertaining, yet informative panel, we moved on to our second panel discussion of the day: Trends in Risk Rating and Continuous Monitoring. Emily Irving, Assistant Vice President, Manager, Enterprise Third Party Risk Management, Wellington Management, moderated the panel, which included Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc.; James Gellert, Chairman and CEO, Rapid Ratings; and Atul Vashistha, Chairman and CEO, Neo Group & Supply Wisdom. The panel stressed that risk doesn’t just happen in one isolated part of a company. A company that is weakening, in particular, is likely to cut corners and redirect investment elsewhere, which could expose it to more risks and negatively impact cyber security down the road. While there’s no way to catch everything, having the proper systems in place for monitoring the company more closely is crucial—a community-driven effort is the only way to mitigate third party risk.


Program Update

Following a brief Exhibitor Networking Break, we heard from our own Robin Slade, Executive Vice President and Chief Operating Officer, who moderated panelists Shawn Malone, Shared Assessments Chair and Founder and CEO, Security Diligence, LLC, and Glen Sgambati, Shared Assessments Program Vice-Chair and Customer and Industry Relations Executive, Early Warning Services, on Shared Assessments program updates. One of our main questions to attendees was their preference on the format of our Certified Third Party Risk Professional (CTPRP) designation from the Shared Assessments program—in-person, or online? If you have a strong opinion on this matter, feel free to contact us and let us know… we’d love to hear from you!


SAI Global Case Study

After learning more about our Shared Assessments program, we were presented with a case study from SAI Global, which focused on traceability in the supply chain, citing examples from the pharmaceutical industry.


The Bottom Line

The Day Two lunch buffet was just as delicious as the first, and during the break, attendees had the opportunity to check out two different Solutions Showcase sessions, one presented by Opus, and the other by RiskRecon. After the break, we began a panel discussion entitled Third Party Risk Research Update, which was moderated by our own Gary Roboff, Senior Advisor, and included panelists Rocco Grillo, Executive Managing Director, Stroz Friedberg; Charlie Miller, Senior Vice President, The Santa Fe Group; Paul Kooney, Managing Director, Protiviti, Inc.; and Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute. The panel focused on IoT and risk. When it comes to risk, it’s not just the regulatory data, it’s the disruption of business and availability. Nothing hits a company harder than the impact to its revenue. Whether you’re a Fortune 500, a midsize company, or a mom and pop, if your bottom line is getting hit, your company will receive negative attention.


The Three C’s

Following the final exhibitor networking break of the Summit, we heard from an all-star female panel consisting of Wafaa Mamilli, Executive Technology and Digital Leader, Eli Lilly; Anne Lim O’Brien, Global CEO & Board Practice and Global Consumer Practice, Heidrick & Struggles; Ceree Eberly, Former Senior Vice President and Chief People Officer, Coca-Cola Company; and Elena Steinke, Director, Women’s Society of Cyberjutsu, which was moderated by Joyce Brocaglia, CEO, Alta Associates. One of the key takeaways from this panel discussion on Talent Management was how soft skills play a key role in team dynamics. Additionally, in order to be a part of the boardroom, employees need to exhibit the “three C’s”:

  • Curiosity
  • Courage
  • Collegiality

It is with these three “C” characteristics that employees can become agile learners who thrive in the workplace.


Will Machines Replace Us?

After this lively discussion, we moved on to the last panel discussion of the Summit on data science/analytics, AI, and ML with panelists Vicki O’Meara, President and CEO, Analytics Pros, and Stephen Boyer, Co-Founder and CTO, Bitsight Technologies.

While consumers enjoy the personalization of their shopping and living options thanks to marketing data, what’s the appropriate use of this data, who owns it, and how do we put a governance process in place? In addition to these questions, the panel had our attendees deep in AI speculation, asking the following questions:

  • How will the essence of what we’re creating be helpful, not hurtful?
  • How will human ethics be encoded into self-driving vehicles?
  • Will machines replace us?


Concluding the 2018 Summit

The final panel definitely gave us a lot to think about as we concluded the day. The event ended just as it had begun, with remarks from our CEO, Catherine Allen. From there celebratory drinks, hors d’oeuvres, and even karaoke were enjoyed at the closing reception.


Save the date for April 10-11, 2019 for the 12th Annual Shared Assessments Summit.


Shared Assessments Releases Ne...

Charlie Miller 05-15-2018


Shared Assessments has released new Standards for Performing a Standardized Control Assessment (SCA).  The Standards were developed during the past year by a task force comprised of Steering Committee members and staff, and were repeatedly vetted with senior practitioners to ensure they were both reasonable and accomplished the primary goal of improving the consistency of the SCA assessment process.

These new standards are intended for use by any third party risk assessor that utilizes the 2018 (and subsequent) Shared Assessments Standardized Control Assessment (SCA) procedures – formerly the Agreed Upon Procedures (AUP). The SCA is a carefully honed and objective set of testing procedures designed to validate the effectiveness of third party controls through onsite testing. SCA test procedures have been reviewed and updated annually since 2005 and align with the Shared Assessments Standardized Information Gathering (SIG) questionnaire.

The SCA Standards will be used by members of the Shared Assessments Program, tool purchasers and assessment firms (including Certified Public Accounting firms) who hold license to the SCA procedures. They cover: the purpose; objectives; participants; scope of work; assessor qualifications; limitations; assessment process; reporting; sharing of reports; and quality assurance practices to be followed when performing SCA procedures.

Highlights of the new standards include:

  • Participants: The Assessee and/or the Outsourcer must hold a license to use the SCA, and the Assessment Firm (Assessor) must be a member of the Shared Assessments Program and hold a license to the SCA.
  • Assessor Qualifications: The Lead Assessor for an SCA Engagement must hold a Shared Assessments Certified Third Party Risk Assessor (CTPRA) Certification and a Certified Third Party Risk Professional (CTPRP) Certification.
  • Reporting: The Assessor will utilize the SCA Report Template to document the results of the SCA Engagement.
  • Sharing of Reports: Participants will agree upon any restrictions, limitations or requirements for sharing the SCA Report as part of the contract process.
  • Quality Assurance: The Outsourcer or Assessee will ensure that the Assessment Firm has performed the engagement in accordance with its own internal quality assurance practices and verified that the Assessment Firm is a current member of the Shared Assessments Program.


The compliance date for adherence to SCA Standards is May 31, 2019.


Summit 2018 Day One: Recap...

Jenny Burke 05-08-2018


Our 11th Annual Shared Risk Assessments Summit took place on April 11-12 at the Ritz Carlton in Pentagon City, VA and brought together thought leaders throughout the risk industry. The theme of this year’s Summit was resilience, and our 300+ attendees were able to hear from subject matter experts across an array of different industries on how to stay resilient amongst an abundance of new concerns.


Opening Remarks

The day started with opening remarks from our CEO, Catherine Allen, who discussed these new concerns, namely, cyber warfare, fake news, supply chain disruptions, AI, and IoT, and how to focus on detection strategies—we live in an era of when, not if. Following her opening remarks, she introduced our keynote speaker, and first ever recipient of our new Lifetime Achievement Award, Richard Clarke.


The Importance of Cassandras in Risk

Clarke, CEO of Good Harbor LLC, explained the importance of “Cassandras” in assessing risk. AI, genetic engineering, and the IoT are all current fields where experts have data that proves we are going to have significant problems, but nothing is being done about it.

When it comes to risk management at the national and corporate level, these outlier experts are being ignored. Clarke stressed the importance of systematically looking for Cassandras and being willing to listen to them, despite the risk seeming outlandish, or even laughable.

While we don’t necessarily need to believe the Cassandra, we do need to give them enough credibility to show the data. Companies may need to adjust so that when they start to see what the Cassandra is predicting, they’ll already have contingency plans in place. As risk professionals, we need to take heed of the Cassandras, start making decisions, and reallocating resources in order to do things differently and mitigate the effects of catastrophic events.


New Vulnerabilities

Following Clarke’s eye-opening keynote, we began our first panel discussion entitled, “The Future is Now: Emerging Technologies and the Impact on Controls.” The panel, moderated by Joe Prochaska, Synovus Financial Corp, included Holly Dockery, Sandia National Laboratories; Catherine Lotrionte, Georgetown University; and Jeff DeCoux, Hangar Technology. The panel focused on Artificial Intelligence (AI) and Internet of Things (IoT)—one of the main takeaways was the vulnerability that these new devices open us up to, and how manufacturers need to step up and involve the entire management team when evaluating the risks and exposures of their devices. Everyone should have visibility into what their technology can do and what the risks could entail.

Frameworks to Make the Dream Work

After a brief networking break, we began our second panel discussion on “Third Party Risk Frameworks.” The panel, moderated by Roger Parsley, Deutsche Bank, included Mark Holladay, Synovus Financial Corporation; Lin Lu, Freddie Mac; and Renee Forney, Capital One; and focused on how third party risk management fits into different organizations. The panel agreed that we are in a new era of risk management, so it’s crucial to increase our skills and expertise in order to fulfill our responsibilities, no matter what the size of our organization. While risk classifications have changed over time, tiering is still important and mission critical vendors are integral to our risk framework, whether we’re at a small company, financial institution, or enterprise corporation. Lin Lu, Freddie Mac, said it best when she stated, “…third party risk is no different than any other risk.” Additionally, the panel touched on how emerging technologies are impacting how we handle third party risk and the importance of scalability. Organizations need to ask themselves:

  • What risks do we have?
  • What risks are we willing to take?
  • What risks are we not willing to take?
  • How does that impact the strategic goals of our business?


Believe in Your Mission

Following the frameworks panel, we enjoyed a case study presented by Prevalent. Brenda Ferraro, Senior Director, led the discussion with customer Bob Maley, Senior Strategist at PayPal.  Maley stressed the importance of understanding your company’s mission—if you’re building a program that’s driving your mission, when the regulators and examiners come in, it’s going to be easy. He also introduced the concepts of Chen, the things that everybody knows you do, and Chi, the unexpected, and explained how they relate to risk—if we do the same things over and over, the chen and chi flip. We have to figure out unique ways of staying ahead and understanding the risk of our vendors.


Making a Vendor Naughty List

After a delicious lunch buffet, and Solutions Showcases presented by Prevalent and Security Scorecard, we returned to hear insights on third party risk and resiliency from industry thought-leader Jim Routh. Routh gave us the frightening example of “Tina and Tony,” the office manager and broker who did not go through the proper authentication processes when using Amazon Web Services. Since “Tony” did not like passwords, there was no encryption or logging, which led to a security researcher finding and publishing the data, ultimately leaving him without a business. The main takeaway from Routh’s presentation was the need to educate our third party vendors on their configuration of cloud controls. Finally, if you don’t have a vendor naughty list, you should—vendors need to be held accountable to the same high internal standards.


Will China Overtake Us?

Perhaps even more frightening than Routh’s “Tina and Tony” example were John M. B. O’Connor’s thoughts on supply chain risk. O’Connor, Chief Executive Officer, J.H. Whitney Investment Management, LLC, highlighted the fact that we’re stepping into an unknown domain of technological complexity and the need to pivot hard and fast to global geo-politics, or risk being overtaken by China. O’Connor even cited how Henry Kissinger spent the majority of his career making sure the US was always more important to China than Russia. We need to widen our aperture and observe more broadly in order to put ourselves at the strategic level and fight at the strategic level.


People are the Problem… And the Solution

After this frighteningly eye-opening presentation, O’Connor joined our next panel discussion, which included Jim Routh, Chief Security Officer, Aetna, and Rocco Grillo, Executive Managing Director, Stroz Friedberg, for a discussion on resiliency. They highlighted how people are our biggest strength, but also our biggest vulnerability. We have to use the innovation in technology to shrink the threat of risk and acknowledge that behaviors at every level are subject to continuous monitoring. Redundancy is expensive and useless—we need to define resilience, create a sense of community that can endure stress, and have faith in the resilience of these community members to be strong enough to let go of the superficial senses of privacy.

Maintaining Personal Resilience

Following a brief networking break where attendees were able to mingle with our exhibitors, we returned for a heart-warming discussion on personal resiliency with Ambassador (ret.) Mary Ann Peters, Chief Executive Officer, Carter Center. According to Peters, who has had a long and rewarding career where she had to quickly adapt to different cultures, the top 5 keys to personal resilience are:

1) Be flexible and adapt to change

2) Embrace ambiguity

3) Get tough, but stay charming

4) Learn from mistakes and failures

5) Focus on helping others


Get Your Regulatory Geek On

Day one concluded with a panel discussion on the regulatory landscape, moderated by Ken Mortensen, Data Protection Officer, InterSystems Corporation, with panelists Valerie Abend, Managing Director, Accenture Security; Kevin Greenfield, Director for Bank Information Technology, Office of the Comptroller of the Currency; and Adam Greene, Partner, Davis Wright Tremaine LLP. As we watched Abend get her “regulatory geek” on, we were asked to contemplate our responsibilities in terms of the broader environments. As third party risk analysts, we need to push the needle a bit more, ask ourselves where we are going to start to fix some of the problems, and ensure that we’re operating at the level we need to operate with the level of assurance that every one of our parties is going to be confident in.


Celebrating Day One

We ended the first day of the conference with a reception, sponsored by SecurityScorecard—appetizers, refreshments, and networking with other risk professionals were the perfect conclusion to day one of our 11th Annual Shared Assessments Summit.


Stay tuned for our summary of day two!

What Would Data Subjects Want?...

Linnea Solem 04-19-2018


Last week at the Shared Assessments Annual Summit on third party risk, I had the chance to co-facilitate a half-day workshop on The Pivot to Codification of Best Practices of Third Party Risk Management, plus moderate a discussion panel on the current privacy landscape.  It was not surprising that GDPR was top of mind for many of the over 300 third party risk professional attendees, but so was digital privacy, a topic not often discussed in depth when addressing the tenets of third party oversight. But, as risk professionals know, timing is everything. Having a third-party risk summit in Washington, D.C., during testimony by Facebook Inc. CEO Mark Zuckerberg made for lively and thought-provoking dialog by participants.

While the starting point of the dialog was the state of GDPR readiness, the overarching themes started to emerge in a broader context.  So, let’s get the GDPR discussion out of the way first, and then turn to the tipping point we experienced in our workshop and panel.

Five things on GDPR

  1. GDPR enforcement is close – the grace period is ending
  2. GDPR is complex due to unintended consequences
  3. There are no simple guarantees to determine if your vendors are GDPR compliant
  4. Following the data daisy chain is daunting to determine GDPR scope
  5. It’s a cloudy legal environment – GDPR guidelines require context and interpretation

Data maps, data protection impact assessments, data transfers, breach notification, and subcontractors are familiar concepts to most Information Technology, Security, and Risk Professionals. Whether requirements are coming from GDPR, OCC, NY DFS Section 500 or SEC Cybersecurity Disclosure Guidance, the expectations for third party risk oversight are maturing along common themes.

The hype on GDPR has been the fear in the C-Suite of the potential for 4% fines and the burden it will place on many organizations to address new obligations. However, the GDPR constructs of “Data Controller” and “Data Processor” roles are becoming a more accepted framework internationally when looked at from the data subject point of view.  Implementing data portability and the right to be forgotten are absolutely requirements focused on the rights of the data subject.  At its core, GDPR is all about privacy rights, which goes beyond a compliance checklist and speaks to the culture and ethics of organizations. Focusing only on meeting the “legal” obligation rather than on the “right” thing to do can be short-sighted.

Many organizations may be missing an opportunity to treat GDPR readiness as an opportunity to affirm customer trust. Transparency and disclosure of consumer privacy rights should not be simply looked at as a compliance burden, but an opportunity to send a positive message to customers.  Don’t let the customer or data subject become the last area of focus in your readiness and GDPR program management plan.

The consumer theme became even more apparent due to the serendipity of having risk management sessions amid congressional Facebook, Inc. testimony.  The questioning on data sharing and usage disclosures requires looking at this not only from an organizational point of view but also from a consumer’s rights point of view. While the audience makeup was more technology savvy than at other conferences I have attended, it was sadly amusing to see how little some of our D.C. legislators knew about how social media works. Data sharing platforms are designed to deliver customized content.  The purpose of the platform is to collect and use data to sell content and provide a consumer application. Customization can’t occur without collecting and using elements of data. I think the concept of consent, and how it is obtained, will be the broader implication in reconciling U.S. Privacy Law and EU based models.

We are living in a mobile world that is becoming even more digitally connected, with layers of third party relationships involved in the internet ecosystem. That genie is out of the bottle to use a tired expression, but now that genie is in the cloud, and there is not any going back to the days of analog.

Five things on Digital Privacy

  1. Make sure that social media/web marketing providers have contracts that outline not only their obligations but the limitations they must adhere to.
  2. For marketers, educate within your organization on the differences between explicit and implicit consent. Likely your own C-Suite may not understand those differences and the limitations on data utilization.
  3. Remember that customers have a short attention span and memory of what they agreed to when they signed up for a service. Don’t just inform when a change has occurred but put reminders into ongoing campaigns.
  4. Privacy is personal. Just like there are different risk appetites, there are different privacy appetites. Recognize that you must think about customers from both ends of the privacy risk continuum.
  5. Don’t just hide the terms in the click agreement – enable privacy preferences with easy to use options. Put the consumer or data subject first.

Our ending privacy take-away to the attendees was to get yourself a rubber bracelet, commonly used to promote causes, but this time your cause is the consumer or data subject. That privacy bracelet, “What Would Data Subjects Want”, is your litmus test for assessing requirements, changes, or interpretation in those gray areas of privacy compliance. So, wear your privacy bracelet with pride as a constant reminder as you navigate the upcoming year of change in privacy and data protection!  #WWDSW

Privacy Panel:  (Moderator) Linnea Solem, President, Solem Risk Partners, LLC and Advisory Board Member and Chairperson of the Shared Assessments Program Privacy Working Group; Andrew McDevitt, Sr. Privacy Analyst, Northrop Grumman; Nathan Johnson, Sr. Privacy Manager, Eli Lilly and Company; and Lisa Berry-Tayman, Sr. Manager, Cyberscout Solutions.

The Fraud Implications of Weak...

Bob Jones 03-19-2018


By Bob Jones, Senior Advisor, The Santa Fe Group


There are three different aspects of fraud that are relevant to third parties. The first is defalcations by the third party’s employees exploiting inadequate internal controls.  The second is fraud perpetrated by the principals of the third party. The third, and most common, is data breaches perpetrated by both insiders and outsiders.


As a Certified Fraud Examiner, I subscribe to the Fraud Triangle, defined by noted criminologist Donald Cressey, that describes the three causative elements of occupational white-collar crime.  The elements are: pressure (usually an unsharable financial need); perceived opportunity; and the ability to rationalize the act.


Typical rationalizations include: “I’m just borrowing it and will pay it back”; “They’ll never miss it”; “Everybody does it”; “They owe it to me”.  The greater the person’s need, the less opportunity he requires to act.  Conversely, the greater the perceived opportunity, the less need required to act.


Understanding the fraud triangle illustrates the white-collar crime truism that only a trusted employee will steal. I am occasionally engaged by banks to provide independent expert testimony in litigation involving fraud claims. In the last few years most of the lawsuits I have been involved in have been brought against banks by small to mid-sized businesses alleging that their business’ losses arose from their employees’ embezzlements that were facilitated by the bank’s failure to detect those actions. Quite frequently, however, my bank clients are able to show that the embezzlements resulted from the business customer’s employees’ exploiting the lack of effective internal controls at the customer’s level.


Another point of opportunity arises during the confusion and uncertainty endemic in the integration phase of mergers/acquisitions, which offers particularly fertile ground for embezzlement. Employees worried about their future can be tempted to set up their own “severance packages”. Research to resolve imbalances in financial accounts can be delayed because of the assumption that they are the result of errors or carelessness, instead of defalcations.  In fact, these periods demand greater scrutiny.


The second aspect is fraud perpetrated by the principals of the third party. A recent example is the February 27, 2018 guilty plea by a senior executive of a large soft drink corporation in a federal prosecution resulting from his incorporating a marketing & promotions firm in his wife’s name. He hired her firm to provide goods and services to his employer, and, over a 10-year period, submitted more than 200 false invoices totaling more than $1.7 million. He is scheduled to be sentenced in June for wire fraud and for failing to report his fraudulent income on his tax returns.


The third, and most common, aspect of fraud is data breaches perpetrated by both insiders and outsiders. While most typically considered information security issues, most often the intent of acquiring the Personally Identifiable Information and/or Protected Health Information obtained through a breach is to commit fraud.


What these three aspects have in common is that their impact can be reduced by a sound Third Party Risk Management (TPRM) program that incorporates a vendor selection process that includes elements such as:

  • An assessment of a prospective third party’s internal control regime to ensure it contains basic controls, such as segregation of duties and physical and virtual access control. More rigorous attention needs to be applied in merger/acquisition situations.
  • An assessment of the candidate vendor’s financial viability. With publicly traded firms, that assessment includes audit reports and SEC filings; and with small, privately held firms, a review of tax returns and principals’ backgrounds (education, professional, criminal). This assessment would apply to any prospective third party relationship.
  • Similarly, the outsourcer will want to inquire into the third party’s reputation. Dun & Bradstreet, other business rating companies, client references and social media can provide insight.
  • Vendor responses to Requests for Information (RFI) from an outsourcer can provide valuable information about a prospective vendor’s general suitability by making sure that RFIs include questions dealing with:
    • Licenses and certifications.
    • Ongoing/pending litigation.
    • Operational/fraud loss experience.
    • Insurance coverage, e.g., Errors and Omissions, cyber, etc.
    • Resiliency.
  • Task/service-specific assessments using responses to Requests For Proposal (RFP). RFPs should:
    • Specify outsourced functionality.
    • Specify desired service levels.
    • Specify security hygiene expectations in detail (level should always meet the outsourcer’s internal security expectations).
    • Seek arm’s length security evaluations if recent and relevant.
    • Specify resiliency expectations: disaster recovery, etc.
    • Obtain information for input into an Anti-money laundering, Bribery and Corruption (ABC) check.
    • Specify desired audit rights and commitment to closing open risk related issues within a specified time period.
    • Obtain references.
    • Solicit information about the third party’s third parties who would be deployed to provide the service/function.


Ultimately, preventing fraud from all three of the causative elements relies on robust TPRM program hygiene, which requires that the program ensures the security and other controls at the vendor level always meet the outsourcer’s internal security expectations.


Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for nearly 50 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.